Re: [squid-users] request_header_access and external acl

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 12 Mar 2009 15:13:05 +1300 (NZDT)

> hello all -
> I've run into some trouble using the request_header_access directive
> with an external acl. A snippet of my config file is below:
>
> -----
> external_acl_type check_clientcert children=1 concurrency=0 ttl=3
> negative_ttl=3 %USER_CERT_CN /etc/squid3/helper.pl
> acl matches-clienttest-cert-name external check_clientcert
> clienttest-cert-name
>
> #http_access allow matches-clienttest-cert-name
> #http_access deny all
> request_header_access User-Agent deny matches-clienttest-cert-name
> ------
>
> If I uncomment the http_access lines, I am only granted access if I
> present the correct client certificate, so the external acl seems to be
> configured correctly. I also see lines like
>
> -----
> 2009/03/11 14:12:54.243| helperDispatch: Request sent to
> check_clientcert #1, 14 bytes
> 2009/03/11 14:12:54.243| helperSubmit: - clienttest-cert-name
> -----
>
> in the output of squid -X. However, when I run squid with the config
> file above, the User-Agent header is not removed, and I see no
> "helperDispatch" or "helperSubmit" in the log output. Can anyone shed
> some light on why external acls may not be invoked this way?
>
>
> Taking a step back, my larger goal is to run an https accelerator which
> accepts client-certificate authenticated requests and passes information
> about the client cert to the origin server. My idea right now is to put
> the client certificate CN into the User-Agent header, but if anyone has
> a better idea, my current solution seems pretty hacked together. Thanks
> for your help.
>
> -tucker cunningham
>

What version of Squid?

3.x has a small glitch in parsing CERT info.

http://www.squid-cache.org/Versions/v3/3.1/changesets/b9429.patch

Amos
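For reference, a helper of the shape the quoted external_acl_type line expects, added here as an example in Python rather than the poster's helper.pl (which the thread does not show). It assumes Squid's external ACL helper line protocol with concurrency=0 (one request per line, no channel id), a single %USER_CERT_CN field per line, that Squid sends "-" when no certificate field is available, and the real "user=" reply keyword; the allow list is constructed.

```python
import sys

# Constructed allow list of accepted certificate CNs. The quoted config
# only ever asks the helper about "clienttest-cert-name", so that is the
# single entry here; a deployment would load this from a file instead.
ALLOWED_CNS = {"clienttest-cert-name"}


def decide(line: str) -> str:
    """Map one request line from Squid to one helper reply line.

    With concurrency=0 and a single %USER_CERT_CN format token, the whole
    line is the client certificate CN. Squid sends "-" when the field is
    not available (assumption: the client presented no certificate); that
    must be refused, never looked up as if it were a CN.
    """
    cn = line.rstrip("\r\n")
    # Defensive: tolerate a double-quoted value (assumption about how a
    # CN containing whitespace would be delivered on the wire).
    if len(cn) >= 2 and cn[0] == cn[-1] == '"':
        cn = cn[1:-1]
    if cn in ("", "-"):
        return "ERR"
    if cn in ALLOWED_CNS:
        # user= tags the request with the CN so it shows up in access.log;
        # quoted so a CN with spaces still parses as one value.
        return f'OK user="{cn}"'
    return "ERR"


def main() -> None:
    # Squid keeps the helper running for its lifetime and expects exactly
    # one reply line per request; flush each reply or Squid stalls waiting.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Run it by hand with a line like `clienttest-cert-name` on stdin to see the reply Squid would receive; note that this does not work around the CERT parsing glitch mentioned above, it only shows what a correctly behaving helper answers.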
Received on Thu Mar 12 2009 - 02:13:24 MDT